What to Do If You Are a Victim of Phishing?
- 1 What is Phishing?
- 2 How Phishing Works?
- 3 Types of Phishing
- 4 How to Recognize a Phishing Email
- 5 What to Do If You Receive a Phishing Email?
- 6 What to Do if it was Too Late and You’re Now a Victim of Phishing?
- 6.1 1. Yes, it’s time to panic, but DON’T.
- 6.2 2. Disconnect from the internet.
- 6.3 3. Change your passwords.
- 6.4 4. Contact the alleged company/organization that has been spoofed.
- 6.5 5. Scan your computer for viruses or malware.
- 6.6 6. Watch out for signs of identity theft.
- 6.7 7. File a report with the Federal Trade Commission
- 6.8 8. Protect yourself against future phishing attacks.
- 6.9 9. Report the Phishing
What is Phishing?
Phishing is a type of fraud often used to steal user data, including login credentials and credit card numbers. It occurs when a hacker, posing as a trusted entity, fools a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the disclosure of sensitive information.
How Phishing Works?
Here’s how most phishing works.
First, you receive an urgent message, email, or text. It appears to come from a trusted source such as your employer, your school, HR, your bank, or your company’s IT department.
The message asks you to click a link or download an attachment. The link takes you to a fake login page; sometimes it looks like a Google login page, a Facebook page, or a page asking you to grant permission. If you download the attachment, it installs malicious software (malware). This is how phishers get your personal data without you even realizing it. Once they have your login details, you’re doomed.
Types of Phishing
Tech Support Scams
This type of scam wants you to believe that you have a serious problem with your computer or account, such as viruses, expired applications, or signs of unusual login activity.
Many are poorly designed, with bad grammar and the like, but others look legitimate enough for someone to click if they aren’t paying close attention.
Macros with Payloads
Malicious macros in phishing emails have become an increasingly common way of delivering ransomware in the past year. A macro is an automated input sequence that imitates keystrokes or mouse actions. A macro is typically used to replace a repetitive series of keyboard and mouse actions and is prevalent in spreadsheet and word processing applications like MS Excel and MS Word.
These documents often get past anti-virus programs with no problem. The phishing emails convey a sense of urgency to the recipient. If the user does not enable the macros, the attack fails.
Malicious Facebook Messages
Several Facebook users have received messages from other users, usually friends or even family members, telling them that someone posted a malicious video or photo of them and giving a link. Users who clicked the link were redirected to a spoofed YouTube page. The fake YouTube page prompted users to install two Chrome extensions, allegedly needed to view the (non-existent) video on the page.
Whaling (CEO Fraud Scams/Business Email Compromise Attack)
Whaling typically involves an attacker imitating the company’s CEO or another high-level executive and sending emails to lower-level employees directly to elicit an intended reaction. The goal could be to gain access to sensitive data or to get significant funds via wire transfers.
Another form of phishing involves a phisher using the language, design, and “feel” of a legitimate message from a company and creating a virtually identical, malicious version of it.
For example, if someone regularly receives legitimate package tracking emails from FedEx, DHL, or USPS, they won’t really read every email thoroughly. They won’t check any apparent differences from the ones they previously received. They’re more likely to simply skim the email or jump directly to clicking on the fake tracking link. All it takes is one moment of unawareness — and that’s what criminals are counting on.
Spoofing occurs when a phisher sends emails from false domain names that appear legitimate, or sets up websites with slightly altered characters that read as correct. Commonly, a spoofed website or email will use logos or other accurate visual design to imitate the styling and branding of a legitimate enterprise or business. Users are prompted to enter financial details or other sensitive data, trusting that they are being sent to the right place.
An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam.
This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent website and luring people there. The attacker can also eavesdrop on network traffic to gather personal and corporate information without the victim’s knowledge.
As more of the web embraces HTTPS and SSL certificates, it is becoming a requirement that phishers use them too. This type of phishing is straightforward yet remarkably effective: the criminal sends an email whose body contains only a legitimate-looking link, in either clickable or non-clickable form.
Smishing stands for “SMS phishing.” Smishing is when someone tries to trick you into giving them your private information via a text or SMS message. In a nutshell, phishers use text messages that appear to come from legitimate sources to lure users into downloading malicious payloads via malicious URLs. The links may be presented as a coupon code from a restaurant or as gift certificates.
In this variant, phishers customize their attack emails with the target’s name, position, company, work phone number, and other details, tricking the recipient into believing they have a connection with the sender. The goal is the same as deceptive phishing: trick the victim into clicking a malicious URL or email attachment so that they hand over their personal data.
Vishing stands for “voice phishing.” It is a form of phishing conducted over the phone.
Other forms of vishing include criminals pretending to be your bank, credit card company, or even a luxury hotel. They tell you that you have won a free vacation or something similar; you just need to provide some personal information.
Pharming is a cyber-attack intended to redirect a website’s traffic to another, fake site. It can be carried out either by changing the hosts file on a victim’s computer or by exploiting a vulnerability in DNS server software.
How to Recognize a Phishing Email
1. Check the Email Sender
A phishing email often comes from a public email domain, meaning an address ending in @gmail.com or a similar free provider, rather than the organization’s own domain.
Look at the email address, not just the sender’s name. Some advanced phishers even use bogus email addresses with the spoofed organization’s name in the local part of the address (the part before the @).
2. Check for Misspelled Words
There is another clue hidden in domain names that provides a strong indication of a phishing scam, and unfortunately it complicates the previous clue.
The problem is that anyone can buy a domain name from a registrar. Phishers choose something you won’t notice right away.
For example, rnobile instead of mobile: the letters r and n side by side look like an m.
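To make clues 1 and 2 concrete, here is an added example (not code from the original article) that applies both checks to a From: header: it flags mail from a public domain that claims an organization’s name, and it catches look-alike domains such as rnobile by collapsing confusable letter pairs before comparing. The trusted and free-mail domain lists, the confusable table, and all .example addresses are constructed for this example.

```python
from email.utils import parseaddr

# Domains the recipient actually expects mail from (constructed for this example).
TRUSTED_DOMAINS = {"mobile.example", "bank.example"}
# Public free-mail domains; a "company" mail arriving from one of these is clue 1.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Character pairs that look alike in common fonts ("rn" reads as "m", as in rnobile).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalize(label):
    """Collapse look-alike sequences so rnobile.example and mobile.example compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def registrable(domain):
    """Keep the last two labels: login.mobile.example -> mobile.example."""
    return ".".join(domain.lower().split(".")[-2:])


def check_sender(from_header):
    """Return the phishing clues found in a From: header (empty list = no clue)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable address"]
    local, domain = addr.rsplit("@", 1)
    domain = registrable(domain)
    if domain in TRUSTED_DOMAINS:
        return []  # genuinely from an expected domain (subdomains included)
    clues = []
    if domain in FREEMAIL_DOMAINS:
        clues.append(f"public email domain: {domain}")  # clue 1
    for trusted in sorted(TRUSTED_DOMAINS):
        org = trusted.split(".")[0]
        if normalize(domain) == normalize(trusted):
            clues.append(f"look-alike domain: {domain} imitates {trusted}")  # clue 2
        elif org in local.lower() or org in name.lower():
            # Organization name in the display name or local part, but a foreign domain.
            clues.append(f"name claims {org} but mail comes from {domain}")
    return clues


if __name__ == "__main__":
    for header in ["Mobile Support <support@mobile.example>",
                   "Mobile Support <mobile.support@gmail.com>",
                   "Mobile <noreply@rnobile.example>"]:
        print(header, "->", check_sender(header) or "no clue")
```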
3. The Email is Poorly Written
You can often tell if an email is a scam if it contains poor spelling and grammar. Many of the phishers are from non-English-speaking countries and from backgrounds where they will have limited access or opportunity to learn the language.
With this in mind, it becomes a lot easier to spot the difference between a typo made by a legitimate sender and a scam.
4. It Includes Suspicious Attachments or Links
Phishing emails come in many forms, but the one thing they all have in common is that they contain a payload. This will either be an infected attachment that you’re asked to download or a link to a fake website that requests a login and other sensitive information.
5. The Email Seems to be Very Urgent
Many scam requests don’t give you time to think. They make it seem that if you don’t act now, it will be too late.
6. May Contain the Following Stories:
- There has been suspicious activity or log-in attempts on your account
- There’s a problem with your account or your payment information
- You are offered a coupon for free stuff
- You must confirm some personal information before you get the freebie
- A fake invoice is included
- You are asked to click on a link to make a payment
- You’re eligible to register for a government refund
- You won a lottery
What to Do If You Receive a Phishing Email?
If you receive a phishing email, it can be a bit scary. Fortunately, nothing will happen to your computer if you don’t click any links or respond. Here’s what to do (and what not to do) if you receive a phishing email.
1. Don’t Panic, Don’t Click Any Links, and Don’t Download Any Attachments
When you get a suspected phishing email, don’t panic. Modern email clients, like Outlook, Gmail, and Apple Mail, do a great job of filtering out emails that contain malicious code or attachments. Just because you receive a phishing email, it doesn’t mean your computer is infected with a virus or malware. Do not download anything from the phishing email and do not click anything.
2. Check with the Sender but Do Not Reply to the Email
If a suspicious email appears to be from someone you know or a company you use, check with them to see if the message is legitimate. Do not reply to the email. If it appears to be from someone you know, create a new email message, or text or call the person, and ask if they sent you the mail. Don’t forward the email, as that spreads the potential phishing attack; instead, take a screenshot and send it to the alleged sender to confirm whether it came from them.
3. Report the Email
Report the email to your company, your email provider, a government body, or the organization the email is allegedly from.
Share the email (do not forward it) with your friends, family, and coworkers to warn them.
4. Mark the Sender as Junk or Spam
You probably don’t want to get any more emails from the person who sent this one. Mark it as spam or junk, and your email client will block any further mail from that address.
5. Delete the Email Forever
Once it is in your spam folder, use the option to delete it permanently.
What to Do if it was Too Late and You’re Now a Victim of Phishing?
1. Yes, it’s time to panic, but DON’T.
Inhale and exhale. Take a few deep breaths to calm your nerves and plan your next steps. Remember that falling for a phishing scheme doesn’t necessarily mean that your identity will be stolen. Phishing schemes vary, so first identify which type of phishing you fell for.
2. Disconnect from the internet.
If you downloaded an attachment from the phishing email, immediately turn off Wi-Fi and disconnect from the internet. If you remove the phisher’s access to your computer quickly enough, you may be able to stop them from installing malware or gaining remote access to your computer.
And if you clicked on a link to a fraudulent website, try to remember exactly what information (username, password, address) you entered. Take screenshots of the phishing email or jot down details such as the sender’s email address, the content of the email, and the URL that you clicked.
Then immediately do step 3.
3. Change your passwords.
If you clicked a link in the phishing email that directed you to a site, whether your bank, email service, or social media account, log in to the real site and change your password.
If you use the same password for multiple accounts—which you shouldn’t do—change the passwords for the other accounts as well. Take the extra time to change any password hints or security questions. Take a look at your profile or recent activity to see if the phisher did any damage or made any purchases using your account.
4. Contact the alleged company/organization that has been spoofed.
Report the phishing scheme to the company—whether it’s your email provider, your utility company, your bank, or your employer—that the phisher impersonated. Let the company know that you changed your password, and follow their instructions for safeguarding your information and your account. If you gave out financial information, you might need to cancel your existing card and get a new one.
5. Scan your computer for viruses or malware.
Whether you downloaded an attachment or clicked on a link, it’s a good idea to scan your computer for viruses and malware. Anti-virus software can examine your computer, alerting you to any files that may have been infected. You can also do a system restore to undo any installed malware.
6. Watch out for signs of identity theft.
If you’ve revealed any financial information or other sensitive information, you should watch for signs of identity theft.
What is identity theft? Identity theft, also known as identity fraud, is a crime in which a fraudster obtains key pieces of personally identifiable information, such as your Social Security or driver’s license number, and uses them to impersonate you.
Watch your credit card statements. You can ask your bank to alert you to any unusual activity.
7. File a report with the Federal Trade Commission
If you see signs that your identity has been stolen, report the theft to the Federal Trade Commission (FTC). The FTC will guide you through the steps to take whether your information was stolen from your credit card account, utilities, checking and savings, or medical insurance. You should also place a fraud alert on your credit report to make it harder for criminals to rack up charges using your identity. The alert lasts for 90 days, but you can renew it if you need more time.
8. Protect yourself against future phishing attacks.
If you get an email that looks like it’s from your bank, credit card company, or social media accounts, take a moment to sift through it. Instead of revealing any personal information, go directly to the website to log in or call the company to determine if the email is genuine.
a. Install Computer Security Software and Use It
Protect your computer by using security software, and set it to update automatically.
b. Protect Your Mobile Phone as well
Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
c. Use 2FA or another multi-factor authentication.
Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password.
d. Backup your data!
9. Report the Phishing
- If a tech support scammer contacts you, report it to the Federal Trade Commission.
- Forward phishing emails to firstname.lastname@example.org and email@example.com.
- Report it to the FTC at ftc.gov/complaint.
Anyone can mistakenly fall victim to a phishing scheme or other identity breach, so you must stay in the know. Now that you know how to recognize phishing scams, share what you learned with someone you know. You might help them avoid one.